Verification of Succinct Hierarchical State Machines

Transcription

1 Verification of Succinct Hierarchical State Machines Salvatore La Torre 1, Margherita Napoli 1, Mimmo Parente 1, and Gennaro Parlato 1,2 1 Dipartimento di Informatica e Applicazioni Università degli Studi di Salerno, Italy 2 University of Illinois at Urbana-Champaign, USA Abstract. A hierarchical state machine (HSM) is a finite state machine where a vertex can either expand to another hierarchical state machine (box) or be a basic vertex (node). Each node is labeled with atomic propositions. We study an extension of such model which allows atomic propositions to label also boxes (SHSM). We show that SHSMs can be exponentially more succinct than HSMs, and verification is in general harder by an exponential factor. Also, we show for a subclass of SHSMs (which can still be exponentially more succinct than HSMs) the same upper bounds as for HSMs. 1 Introduction Finite state machines (labeled finite transition systems) are widely used for modeling the flow of control of digital systems and are appealing to formal verification such as model checking [CE81,CK96]. In model checking, a high-level specification is expressed by a formula of a logic and is checked for fulfillment on an abstract model of the system. Though a typical solution to this problem is linear in the size of the model, it is computationally hard since the model generally grows exponentially with the number of variables used to describe the system (state-space explosion). As a consequence, an important part of the research on model checking has been concerned with handling this problem. Hierarchical structures are naturally present in complex systems where simple modules usually form a hierarchy. Representing such systems as standard transition graphs introduces some redundancy which can be avoided by modeling them as hierarchical state machines [AY01]. A hierarchical finite state machine is a finite state machine where a vertex can either expand to another hierarchical state machine (box) or be a basic vertex (node). Each node is labeled with atomic propositions (AP ) and the outcomes of the model thus generate sequences over 2 AP. Complexity of model-checking is discussed in [AY01] and the succinctness of the model compared to standard finite state machines is addressed in [AKY99]. This research was partially supported by the MIUR grant ex-60% , Università degli Studi di Salerno.

2 In this paper, we consider a variation of the hierarchical state machines, where also boxes are labeled with atomic propositions. The intended meaning of such labeling is that when a box v expands to a machine M, all the vertices of M inherit the atomic propositions which hold true at v (context), so that different vertices expanding to M can place M into different contexts. With such more general labeling, we show that it is possible to obtain models of systems which are exponentially more succinct than hierarchical state machines. Therefore, we call them Succinct HSMs (SHSMs). We recall that a restricted version of an SHSM, denoted CHSM (Context-dependent HSM), is considered in [LNPP03]. There, an atomic proposition which labels a box b cannot label the vertices of any of the machines which directly or indirectly expand from b. We also prove that SHSMs can be exponentially more succinct than CHSMs. We study the complexity of verification for SHSMs. In particular, we consider basic verification questions such as reachability and cycle detection, and the model-checking problem against Ltl [Pnu77] and Ctl [CE81] specifications. We show that for an SHSM M and a formula ϕ: Ltl model-checking is Pspace-complete and can be solved in O( M 16 ϕ ) time; Ctl model-checking is Exptime-complete and can be solved in O( M 4 ϕ d ) time where d is the maximum number of exit nodes of M. We also show that reachability and cycle detection are both NP-complete. From the results shown in [AY01] for hierarchical state machines, we get time complexities increased by an O(2 ϕ ) factor which is exactly what we gain in succinctness. However, we also show that things improve when we place some restrictions on the SHSM and the formula expressing the target set in the reachability and cycle detection problems. In particular, we show that Ltl model-checking of CHSMs can be solved in O( M 8 ϕ ) time, and if the target formula conforms with the structure of the SHSM (resp. CHSM), reachability and cycle detection can be solved in linear time. There are several papers in the literature that concern with hierarchical state machines. In [AGM00,AMY02], the verification tool HERMES which is based on hierarchical state machines is discussed. Hierarchical state machines with recursive expansions of nodes (recursive state machines) are studied in [ABE+05] and a corresponding temporal logic is introduced in [AEM04]. Recursive state machines turn out to be equivalent to pushdown automata [ABE+05]. Recursive calls and context-dependent properties are considered in [LNPP03], where also CHSMs are introduced as a restriction of the corresponding recursive model and some complexity results on verification are derived from those obtained on the recursive model. Here, we revisit such results and compare CHSMs to SHSMs. The impact of concurrency is studied in [AKY99,LMP04] for hierarchical state machines and in [BLP06] for recursive state machines. Finally, modular control synthesis for recursive state machines is studied in [ALM03a,ALM03b]. 2 The Model Given a set AP of atomic propositions, a Kripke structure over AP is a rooted directed graph whose vertices are labeled with the atomic propositions holding

3 true in that vertex. In this paper, we model a system by a hierarchically structured graph, where vertices can be either simple nodes or placeholders for other graphs. We formally define such graphs as follows. Definition 1. A Succinct Hierarchical State Machine (SHSM) over AP is a tuple M = (M 1,..., M k ), each M i = (N i, in i, out i, true i, expn i, E i ) is called machine and consists of: a finite set of vertices N i, an initial vertex in i N i and a set of output vertices out i N i ; a labeling function true i : N i 2 AP that maps each vertex with a set of atomic propositions; an expansion mapping expn i : N i {0, 1,..., k} such that expn i (u) < i, for every u N i, and expn i (u) = 0, for every u {in i } out i ; a set of edges E i where each edge is either a pair (u, v), with u, v N i and expn i (u) = 0, or a triple ((u, z), v) with u, v N i, expn i (u) > 0, and z out expni (u). We assume that the sets of vertices N i are pairwise disjoint. The set of all vertices of M is N = k i=1 N i. The mappings expn : N {0, 1,..., k} and true : N 2 AP extend the mappings expn i and true i, respectively. If expn(u) = j > 0, the vertex u expands to the machine M j and is called box. When expn(u) = 0, u is called a node. Let us define the closure expn + : N 2 {0,1,...,k}, as: h expn + (u) if either h = expn(u) or there exists u N expn(u) such that h expn + (u ). We say that a vertex u is an ancestor of v, and v is a descendant from u, if v N h and h expn + (u). Let us note that contrarily with what happens in Kripke structures, in this model the atomic propositions not labeling u are not necessarily to be intended false (in Sect. 3 we define the function false(u) of the atomic proposition which can be stated false at u). As an example of an SHSM M see part (a) of Fig. 1, where p 1, p 2, p 3 are atomic propositions labeling nodes and boxes of M, e i and x i are respectively entry nodes and exit nodes for i = 1, 2, 3, and expn(b i j ) = j 1 for i = 0, 1 and j = 2, 3. A hierarchical state machine (HSM) is an SHSM where true(u) =, for every box u [AY01]. A context-dependent HSM (CHSM) M = (M 1,..., M k ) is an SHSM where true(u) true(v) =, for every u, v N such that u is an ancestor of v [LNPP03]. Observe that the SHSM of Fig. 1 is also a CHSM but is not a HSM. The semantics of an SHSM M is given by defining an equivalent Kripke structure, denoted M F. The Kripke structure M F. A sequence of vertices α = u i u i+1 u j, 0 < i j, is called a well-formed sequence if u l+1 N expn(ul ), for every l = i,..., j 1. Moreover, α is also complete when u i N k and u j is a node. A state of M F is α where α is a complete well-formed sequence of M. Note that the length of a complete well-formed sequence is at most k, therefore the number of states of M F is at most exponential in the number of vertices of M. The initial state of M F is in k, where in k is the initial vertex of M k.

4 M 3 e 3 b 0 3 b 1 3 {p 3 } x 3 {p 3, p 2, p 1 } e 3 b 0 3, e 2 b 0 3, b0 2, e 1 {p 2, p 1 } {p 2 } {p 1 } M 2 b 0 3, b1 2, x 1 b 0 3, b1 2, e 1 b 0 3, b0 2, x 1 e 2 b 0 2 b 1 2 x 2 {p 2, p 1 } {p 3 } {p 3 } {p 2, {p b 0 b 1 3, x 2 3, e 2 } 2 b 1 p 1 } 3, b0 2, e 1 M 1 {p 3, p 2, p 1 } {p 3, p 2 } {p 3, p 1 } e 1 x 1 b 1 3, b1 2, x 1 b 1 3, b1 2, e 1 b 1 3, b0 2, x 1 {p 1 } {p 3, p 2, p 1 } {p 3, p 2, p 1 } b 1 3, x 2 x 3 (a) (b) Fig. 1. An SHSM M and the Kripke structure obtained by flattening M. Transitions of M F are obtained by using as templates the edges of M: there is a transition from a state αβ to a state αβ if and only if (β, β ) denotes an edge of M. Part (b) of Fig. 1 shows the Kripke structure which is equivalent to the SHSM from part (a) of the same figure. We give a precise construction of M F in the following. Given an SHSM M = (M 1,..., M k ), note that the tuple M h = (M 1,..., M h ), 1 h k, is an SHSM as well, and M k = M. We now sketch how to compute recursively the flat Kripke structures M F h, and thus MF. We start with M F 1 which is obtained from machine M 1 by simply replacing each vertex u with a state u labeled with true( u ) = true(u) (recall that by definition all vertices of M 1 are nodes). Thus, for each edge (v, w) E 1 we add a transition ( v, w ) in M F 1. For h > 1, M F h is obtained from M h by simply replacing each box u of M h with a copy of the Kripke structure M F expn(u). More precisely, for each node u N h, u is a state of M F h which is labeled with true(u). For each box u N h and state α of M F expn(u), uα is a state of MF h and is labeled with true(u) true( α ). The transitions of M F expn(u) are all inherited in MF h, that is, there is a transition ( uα, uβ ) in M F h for each transition ( α, β ) of M F expn(u). The remaining transitions of MF h correspond to the edges of M h: for each node v N h and edge (u, v) E h (resp. ((u, z), v) E h ) there is a transition from u (resp. uz ) to v ; for each box v N h and edge (u, v) E h (resp. ((u, z), v) E h ) there is a transition from u (resp. uz ) to v in expn(v). A vertex u expanding into M h is a placeholder for M F h and determines a subgraph in M F isomorphic to M F h. If two distinct vertices u 1 and u 2 both expand into the same machine M h, that is expn(u 1 ) = expn(u 2 ) = h, then the states of

5 M h e h b 0 h b 1 h x h M i, i = 2,..., h 1 M 1 e 1 e i p h {p 1,.. b 0 i b 1 i.., p h } x 0 1 p 1 x 1 1 {p 1,..., p h } b 2 i {p i,..., p h } p i x 0 i {p 1,..., p i} x 1 i {p 1,..., p h } Fig. 2. An SHSM M h such that L(M h, ϕ h ) = L 2 h. M F h appear in MF in two different contexts, labeled possibly by different sets of atomic propositions: in one context this set contains true(u 1 ) and in the other it contains true(u 2 ). Succinctness of the model. Observe that being able to represent with a single machine M h more than one subgraph of M F, our model in general is more succinct than a traditional Kripke structure. Box labeling further improve on this. In fact in a situation as described above, the two copies of M F h in MF, though labeled in a different way, can be represented in an SHSM by the single machine M h, while they should be represented by two different machines in a HSM. Before stating this more formally, we need some definitions. Given a transition graph with states labeled by subsets of atomic propositions and a state X, a trace is an infinite sequence σ 1 σ 2... σ i... of labels of states occurring in a path starting from X. Moreover, given an SHSM M, we define the language L(M) as the set of the infinite traces of M F starting from its initial state. Moreover, for a boolean formula ϕ over the atomic propositions AP, we denote by L(M, ϕ) the set of traces in L(M) containing a label which fulfills ϕ. In the rest of this section, for h 0 we fix a set of atomic propositions Σ h = {p 1,..., p h } and for a subset σ Σ h, define (σ) = p i σ 2i 1 (in particular, ( ) = 0). Proposition 1. CHSMs can be exponentially more succinct than HSMs and finite state machines. Proof : Consider the family of languages L 1 h of traces σ 1... σ n... over 2 Σ h such that: σ 1 = ; for i < n, σ i = σ i+1 or (σ i+1 ) = (σ i ) + 1; and (σ n ) = 2 h 1. Let ϕ h = p 1 p h. For h = 3, a CHSM M such that L(M, ϕ 3 ) = L 1 3 is given in Fig. 1. It is easy to see that M can be generalized to a CHSM M h such that L(M h, ϕ h ) = L 1 h, and M h = O(h). Since there are 2 h different labels that need to be taken into account, we have that any hierarchical or finite state machine M h such that L(M h, ϕ h) = L 1 h requires at least 2h different nodes. There is an exponential gap also between CHSMs and SHSMs as shown in the following proposition. Proposition 2. SHSMs can be exponentially more succinct than CHSMs.

6 Proof : Consider the family of languages L 2 h of traces σ 1... σ n... over 2 Σ h such that: σ 1 = ; (σ n ) = 2 h 1; and for i < n either σ i = σ i+1, or (σ i+1 ) = (σ i )+1, or for some 1 j h, {p 1, p 2... p j 1 } σ i, p j σ i and σ i+1 = {p j,..., p h }. Let ϕ h = p 1 p h. An SHSM M h such that L(M h, ϕ h ) = L 2 h is given in Fig. 2, where p 1,..., p h are atomic propositions labeling nodes and boxes of M, e i and x j i are respectively entry and exit nodes, and expn(bj i ) = i 1. It is easy to check that M h = O(h). To complete the proof it suffices to show that any CHSM M h such that L(M h, ϕ h) = L 2 h has size exponential in h. Fix σ 1, σ 2 Σ h such that p j σ 1 σ 2, {p 1,... p j 1 } σ 1 σ 2 and there is an atomic proposition p l, l > j, such that p l σ 1 and p l σ 2. Let M h be any CHSM such that L(M h, ϕ h) = L 2 h. From the definition of L 2 h and being σ 1 σ 2, there are three different states s 1, s 2, s 3 of M hf such that s 3 is a successor of s 2, true(s i ) = σ i for i = 1, 2 and true(s 3 ) = {p j,..., p h }. For i = 1, 2, let s i = α i b i u i where u i are nodes, b i are boxes, and α i are sequences of boxes. Observe that from the definition of CHSM if p l labels any of the boxes in α 1 it cannot label any vertex of the machines to which either b 1 or u 1 belongs. Thus, either b 1 b 2 or u 1 u 2 must hold otherwise we get the contradiction that also s 3 (being a successor of s 2 in M hf ) cannot be labeled with p l. Therefore, for each pair of different sets σ 1 and σ 2 as above, there are two different vertices of M h. Since we can choose σ 1 and σ 2 among 2 h j many different sets, we can conclude that any CHSM M h such that L(M h, ϕ h) = L 2 h must have at least 2h j different vertices. Therefore, if we pick j = 1 we get that such M h must have at least 2h 1 different vertices, and the proposition is proved. It is worth noting that the mentioned succinctness results do not add up to each other, in the sense that it is not true that SHSMs can be doubly exponentially more succinct than HSMs. In fact, HSMs, CHSMs and SHSMs can all be translated to equivalent finite state machines with a single exponential blow-up. From Proposition 1 and the fact that any CHSM is also an SHSM, we have the following. Corollary 1. SHSMs can be exponentially more succinct than HSMs and finite state machines. 3 Reachability and Cycle Detection In this section we deal with reachability and cycle detection on SHSMs. We start defining the problems. Then, we show that they are NP-complete and discuss some conditions which allow us to give an efficient solution. Given an SHSM M = (M 1,..., M k ) and a propositional boolean formula ϕ, Reach(M,ϕ) is the problem of deciding if there exist a state X in M F on which ϕ is satisfied and a path in M F from in k to X. The problem Cycle(M,ϕ) is the problem of deciding if there exist a state X in M F at which ϕ is satisfied, a path from in k to X and a path from X to itself. NP-completeness. We first show NP-hardness. As stated in the following lemma, NP-hardness holds even when the formula is very simple.

7 Lemma 1. Given an SHSM M and a formula ϕ expressed as a conjunction of literals, the problems Reach(M,ϕ) and Cycle(M,ϕ) are NP-hard. Proof : First, we observe that as the intuition suggests, Cycle(M,ϕ) can be polynomially reduced to Reach(M,ϕ). Thus, to show the lemma we reduce 3- SAT to the problem Reach(M,ϕ). Let ψ be a 3-SAT formula ψ = C 1 C n, over a set of atomic propositions AP = {P 1,..., P k }, where each C i is a disjunction of three literals. We construct an SHSM M = (M 1,..., M k ), on the set of atomic propositions AP = {c 1,..., c n }, as follows: each M i, i 1, has four vertices forming a line: in i, p i, notp i and out i. The vertex p i is labeled c j, if P i occurs in the clause C j, while the vertex notp i is labeled c j if P i is in C j. For i > 1, p i and notp i are boxes expanding into M i 1, having edges ((p i, out i 1 ), notp i ) and ((notp i, out i 1 ), out i ). Vertices p 1 and notp 1 are nodes. Define ϕ = c 1 c n. It is not difficult to verify that ψ is satisfiable if and only if there exists a reachable state of M F at which ϕ is satisfied. To show membership in NP, we introduce the notions of path and cycle on SHSMs. In the following, given a box u N h, out(u) is the set of all vertices z out expn(u) such that ((u, z), v) E h, for some v N h. Moreover, with [u, z] we denote a pair such that either u is a node and z = ɛ or u is a box and z out(u). Let M = (M 1,..., M k ) be an SHSM. A H-path from a pair [u 1, z 1 ] to a vertex u r in M h, is a sequence of pairs [u 1, z 1 ] [u 2, z 2 ]... [u r 1, z r 1 ] such that for every 1 j < r, u j N h and one of the following cases occurs: either u j is a node and (u j, u j+1 ) E h, or u j is a box, ((u j, z j ), u j+1 ) E h and there is a H-path from [in expn(uj ), ɛ] to z j in M expn(uj ). In the following, when we refer to a H-path in M h, we sometimes omit the reference to a machine M h since it is univocally determined by the vertices u 1,..., u r. Moreover, we say that a vertex u N h is H-connected if either u = in h or there is a H-path from [in h, ɛ] to u. Observe that if a node u N h is H-connected then there exists a path from in h to u in the Kripke structure M F h, while if a box u is H-connected, a path exists from in h to u in expn(u). Hence, if a vertex u is H-connected, this in turn means that there exists a path from α in h to either αu or αu in expn(u) in M F, for any well-formed sequence α = ɛ or α = u 1... u j, with expn(u j ) = h. On the other side, note that if there exists a path in M F from in k to a state u 1... u m, then there are paths from u 1... u j 1 in expn(uj 1 ) to u 1... u j 1 u j in expn(uj ) for j = 1,..., m 1 and from u 1... u m 1 in expn(um 1 ) to u 1... u m 1 u m. Therefore, all vertices u j for j = 1,..., m are H-connected. These observations prove the following proposition. Proposition 3. Given an SHSM M = (M 1,..., M k ), let X = u 1 u 2... u m be a state of M F. There is a path from in k to X in M F if and only if all the vertices u i are H-connected. A H-cycle in an SHSM is a H-path from a pair [u, z] to u. Now, we want to consider the relationship between cycles in M F and H-cycles in M. Given a pair [v 0, z 0 ] with z 0 out(v 0 ), a well-formed sequence v 0 v 1... v r is called connected to z 0 if for each l = 1,..., r there exist z l out(v l ) {ɛ}, and a H-path

8 from [v l, z l ] to z l 1 (note that v r may also be the output node z r 1 ). This definition simply captures the property that there is a path of M F from a state α v 0 v 1... v r β (with α, β possibly empty) to a state α v 0 z such that α v 0 is a common prefix to all the complete well-formed sequences of the visited states. Proposition 4. Let M be an SHSM and X = u 1... u m be a reachable state of M F. X belongs to a cycle in M F if and only if either: [u m, ɛ] belongs to a H-cycle or there exist 1 i < m and z out(u i ) such that [u i, z] belongs to a H-cycle and u i... u m is a well-formed sequence connected to z. The following proposition is crucial in our argument for NP-membership. Proposition 5. Given an SHSM M, the set of H-connected vertices and the set of pairs belonging to a H-cycle of M can be determined in O( M ). Therefore, we have the following theorem. Theorem 1. The problems Reach(M,ϕ) and Cycle(M,ϕ) for SHSMs are NP-complete. Efficient solutions. Here, we present some conditions on an SHSM M and a formula ϕ which allow us to give efficient algorithms for both Reach(M,ϕ) and Cycle(M,ϕ). First we define a partial evaluation of ϕ on a well-formed sequence and then we give the algorithms for the above two problems. Given a formula ϕ and two disjoint sets T, F AP, let Inst(ϕ, T, F ) denote the formula obtained by instantiating to true the atomic propositions of T and to false those in F. If we are given a state X of M F, then a propositional formula ϕ can be evaluated in X simply by computing Inst(ϕ, true(x), AP \ true(x)). To solve our problems, we would like to find a state in M F where ϕ is satisfied, using the SHSM M, without explicitly constructing M F. To this aim we use a greedy approach to evaluate ϕ: we visit top-down M and at each vertex u we instantiate as many atomic propositions as possible. The question is: which are the atomic propositions of ϕ can be instantiated? Surely, we can instantiate to true all the atomic propositions of true(u), while the atomic propositions which can be instantiated to false depend on the vertices that may follow u in any complete well-formed sequence of M. In other terms, an atomic proposition can be instantiated to false if it labels neither u nor vertices having u as an ancestor, that is it does not belong to a set true (u) defined as true (u) = true(u) v N expn + (u) true(v). Thus, we define the set of atomic propositions of ϕ that can be instantiated to false at a vertex u N h, as false(u) = AP \ true (u). Let us remark that the function false can be computed by visiting M just once. Given an SHSM M, a propositional boolean formula ϕ over AP and a wellformed sequence α of M, the partial evaluation of ϕ on α, is defined as { PEval(ϕ, ɛ) = ϕ PEval(ϕ, αu) = Inst(PEval(ϕ, α), true(u), false(u)). The following lemma ensures correctness of our approach.

9 Lemma 2. Given an SHSM M, a formula ϕ, and a state X = α of M F : PEval(ϕ, α) = Inst(ϕ, true(x), AP \ true(x)). In what follows w.l.o.g. we assume that the formula returned by a partial evaluation is simplified according to the following tautologies: (ψ true) ψ, (ψ false) false, (ψ false) ψ, (ψ true) true, ( true) false, ( false) true. We say that ϕ is constant if it is either true or false. Now, we are ready to define a condition to get polynomial-time algorithms for the problems Reach(M,ϕ) and Cycle(M,ϕ). Fix an SHSM M and a boolean formula ϕ. We say that the partial evaluations of ϕ in M are uniquely inherited iff: for every two well-formed sequences αu and βv, if expn(u) = expn(v) and both PEval(ϕ, αu) and PEval(ϕ, βv) are not constant, then PEval(ϕ, αu) = PEval(ϕ, βv). Assume w.l.o.g. that all the vertices of M are H-connected (from Proposition 5, an arbitrary SHSM can be simplified such that this holds using linear time). Thus from Proposition 3 all states of M F are reachable. Hence, using mainly Lemma 2, it is possible to design an algorithm that looks for a complete well-formed sequence α for which the function PEval(ϕ, α) gives TRUE. Such algorithm visits top-down the machines of M and evaluates PEval on well-formed sequences by computing iteratively the function Inst. Note that if the evaluations of ϕ are uniquely inherited, multiple visits of a machine M h are not needed, and thus the overall complexity of the algorithm is linear in M and ϕ. Theorem 2. Let ϕ be a formula and M be an SHSM such that the partial evaluations of ϕ in M are uniquely inherited. The problem Reach(M,ϕ) is decidable in time O( M ϕ ). The algorithm to solve the problem Cycle(M,ϕ) and its correctness strongly rely on the following Lemma 3 which is a direct consequence of Proposition 4. Lemma 3. Let M be an SHSM with all H-connected vertices, ϕ be a boolean formula and α = u 1... u j be a well-formed sequence such that PEval(ϕ, α) =true. There exists a well-formed sequence β such that αβ is a solution of the problem Cycle(M,ϕ) if and only if either a) there exists a H-cycle in M h, h expn + (u j ) or b) there exist i j and z 0 out(u i ) such that [u i, z 0 ] is in a H-cycle and u i... u j is a well-formed sequence connected to z 0. Theorem 3. Let ϕ be a formula and M be an SHSM such that the partial evaluations of ϕ in M are uniquely inherited. The problem Cycle(M,ϕ) is decidable in time O( M ϕ ). Note that for general ϕ and M, the above algorithms can be easily modified in such a way that each machine M h can be visited just once for each subformula of ϕ. Thus the following theorem holds. Theorem 4. Given an SHSM M and a formula ϕ, the problems Reach(M,ϕ) and Cycle(M,ϕ) are decidable in O( M 2 ϕ ) time.

10 Observe that when in M there are no context-properties (true(u) = for every box u), then the partial evaluations of every formula ϕ in M are uniquely inherited and thus Theorems 2 and 3 generalize those in [AY01]. We give a further condition on M and ϕ which let us get efficient algorithms when M is a CHSM. Let AP(ψ) be the set of atomic propositions of a formula ψ. We say that ψ is local to M vertices iff for every vertex u of M either AP (ϕ i ) (true(u) false(u)) = or AP (ϕ i ) (true(u) false(u)) = AP (ϕ i ) holds. It is possible to show that for a CHSM M, if ϕ is of the form ϕ 1 ϕ m where each ϕ i is local to M vertices, then the partial evaluations of ϕ in M are uniquely inherited. Corollary 2. Let M be a CHSM and ϕ be a conjunction of formulas which are local to M vertices. The problems Reach(M,ϕ) and Cycle(M,ϕ) are decidable in time O( M ϕ ). As a final remark, note that from Lemma 1, Reach(M,ϕ) and Cycle(M,ϕ) are NP-hard for SHSMs even if we restrict to conjunctions of formulas which are local to the vertices of the considered SHSM. 4 Ltl and Ctl Model Checking In this section we consider the verification of requirements expressed by Ltl and Ctl formulas. We recall a Büchi automaton A = (Q, q 1,, L, T ) is a Kripke structure (Q, q 1,, L) together with a set of accepting states T [Tho90]. Fix an SHSM M = (M 1,..., M k ) and a Büchi automaton A = (Q, q 1,, L, T ), with Q = {q 1,..., q m }. We define the graphs M (i,j,p ), where 1 i k, 1 j m, and P is a subset of AP such that P true M (in i ) = L(q j ). The vertices of M (i,j,p ) are 4-tuples [u, q, j, P ]. The third and fourth components are the same for all the vertices in the same graph and are needed only to distinguish vertices of different graphs. Components u and q are respectively vertices of M i and A such that: if u is a node, the labeling of q coincides with the labeling of u augmented with the set P of the atomic propositions that u inherits from its ancestors; if u is a box, with expn(u) = h, the labeling of q contains also the atomic propositions labeling the initial node in h of the expansion of u. Moreover, the edges in M (i,j,p ) are obtained from the edges of M i and A as in the standard Cartesian product of M i and A. The SHSM M = M A is inductively defined as follows. M (k,1, ) is the graph containing the starting node of M. Let M (i,j,p ) be a graph of M, and [u, q t, j, P ] be a vertex of M (i,j,p ). If expn M (u) = 0 then expn M ([u, q t, j, P ]) = 0. If expn M (u) = h > 0, and P = P true M (u) then M (h,t,p ) is a graph of M and expn M ([u, q t, j, P ]) is the index of M (h,t,p ). Finally, we use only an atomic proposition tgt to label vertices: true M ([u, q, j, P ]) is {tgt} iff q T. By a counting argument and the observation that for CHSMs the graphs M (i,j,p ) are uniquely determined by the indices i and j, we can show the following lemma. Lemma 4. Given an SHSM M, M = M A is an SHSM whose size is O(m 2 M A 2 AP ). Moreover, if M is a CHSM, then the size of M is O(m 2 M A ).

11 The language L(A) accepted by a Büchi automaton A is the set of all traces corresponding to paths visiting infinitely often a state of T. The SHSM M A can be used to check for emptiness the language given by the intersection of L(M) and L(A), as shown in the following lemma. Lemma 5. Emptiness of L(M) L(A) can be checked in time linear in the size of M A. Proof : Observe that the set of the traces of M F is the same as the set of traces of the Cartesian product of M F and A. Thus L(M) L(A) if and only if Cycle(M,tgt) is TRUE. Since the simple formula consisting of the sole atomic proposition tgt has only a partial evaluation, that is tgt itself, from Theorem 3 this problem can be checked in linear time. As a consequence of the above lemmas, we obtain an algorithm to solving the Ltl model checking for SHSMs. We construct a Büchi automaton A ϕ of size O(2 ϕ ) accepting the set L(A ϕ ) of the sequences that do not satisfy ϕ, and then ϕ is satisfied on all paths of M if and only if L(M) L(A ϕ ) is empty. Therefore, by Lemmas 4 and 5 we have: Theorem 5. The Ltl model checking on an SHSM M and a formula ϕ can be solved in O( M 16 ϕ ) time. Moreover, if M is a CHSM then the problem can be solved in O( M 8 ϕ ) time. Now we consider Ctl for expressing branching-time properties and sketch an algorithm to solve Ctl model checking. We fix an SHSM M = (M 1,..., M k ) and a temporal logic formula ϕ. Let P ϕ be the set of atomic propositions that appear in ϕ. The first step of our algorithm consists of constructing a hierarchical state machine M ϕ such that M F ϕ is isomorphic to M F. Let index : [1, k] 2 P ϕ [1, k 2 P ϕ ] be a bijection such that index(i, P i ) < index(j, P j ) whenever i < j. Clearly, index maps the pairs (i, P i ) into a strictly increasing sequence of consecutive naturals starting from 1. For a machine M i = (N i, in i, OUT i, true i, expn i, E i ), 1 i k and P P ϕ, define M P i as the machine (N P i, inp i, OUT P i, truep i, expnp i, EP i ) where: N P i = {u P u N i }, and OUT P i = {u P u OUT i }; true P i (up ) = true i (u) P if u is a node and true P i (up ) =, otherwise; expn P i (u) = 0 if u is a node and expnp i (u) = index(expn i(u), P true i (u)), otherwise; E P i = {(u P, v P ) (u, v) E i } {((u P, z P truei(u) ), v P ) ((u, z), v) E i }. We define M ϕ by the tuple of machines (M 1,..., M k ) such that for j = 1,..., k, M j = M P i where j = index(i, P ). From the definition of M P i it is simple to verify that M ϕ is a HSM and M ϕ is O( M 2 P ϕ ) = O( M 2 ϕ ). Moreover, M F ϕ and M F are identical up to a renaming of states. Therefore, by the results on HSMs from [AY01], we get the following theorem (where M is an SHSM, ϕ is a formula and d is the maximum number of exit nodes of a machine of M). Theorem 6. The Ctl model checking of SHSMs can be solved in O( M 4 ϕ d ) time.

12 References [ABE+05] R. Alur, M. Benedikt, K. Etessami, P. Godefroid, T. Reps, and M. Yannakakis. Analysis of recursive state machines. ACM Transactions on Programming Languages and Systems (TOPLAS), 27(4): , [AEM04] R. Alur, K. Etessami, and P. Madhusudan. A Temporal Logic of Nested Calls and Returns. In Proc. 10th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 04, LNCS 2988, pp , [AGM00] R. Alur, R. Grosu, and M. McDougall. Efficient reachability analysis of hierarchical reactive machines. In Proc. 12th International Conference on Computer Aided Verification, CAV 00, LNCS 1855, pages Springer, [AKY99] R. Alur, S. Kannan, and M. Yannakakis. Communicating hierarchical state machines. In Proc. 26th International Conference on Automata, Languages and Programming, ICALP 99, LNCS 1644, pp , [ALM03a] R. Alur, S. La Torre, and P. Madhusudan. Modular Strategies for Recursive Game Graphs. In Proc. 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, TACAS 03, LNCS 2619, pp , [ALM03b] R. Alur, S. La Torre, and P. Madhusudan. Modular Strategies for Infinite Games on Recursive Graphs. In Proc. 15th International Conference on Computer Aided Verification, CAV 03, LNCS 2725, pp , [AMY02] R. Alur, M. McDougall, and Z. Yang. Exploiting Behavioral Hierarchy for Efficient Model Checking. In Proc. 14th International Conference on Computer Aided Verification, CAV 02, LNCS 2404, pp , [AY01] R. Alur and M. Yannakakis. Model checking of hierarchical state machines. ACM Transactions on Programming Languages and Systems (TOPLAS), 23(3): , [BLP06] L. Bozzelli, S. La Torre, and A. Peron. Verification of well-formed Communicating Recursive State Machines. In Proc. 7th International Conference on Verification, Model Checking, and Abstract Interpretation, VMCAI 06, LNCS 3855, pp , [CE81] E.M. Clarke and E.A. Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic. In Proc. of Workshop on [CK96] Logic of Programs, LNCS 131, pages Springer-Verlag, E.M. Clarke and R.P. Kurshan. Computer-aided verification. IEEE Spectrum, 33(6):61 67, [LNPP03] S. La Torre, M. Napoli, M. Parente, G. Parlato. Hierarchical and Recursive State Machines with Context-Dependent Properties. In Proc. 30th International Conference on Automata, Languages and Programming, ICALP 03, LNCS 2719, pp , [LMP04] [Pnu77] [Tho90] R. Lanotte, A. Maggiolo, and A. Peron, Structural Model Checking for Communicating Hierarchical Machines. In Proc. 31st International Symposium on Mathematical Foundations of Computer Science, MFCS 04, LNCS 3153, pp , A. Pnueli. The temporal logic of programs. In Proc. 18th IEEE Symposium on Foundations of Computer Science, FOCS 77, pages 46 77, W. Thomas. Automata on infinite objects. In J. van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B, pages Elsevier Science Publishers, 1990.